John Kanen Flowers

Stephen Northcutt - May 26th, 2010

John
“Kanen” Flowers is the founder of nCircle Network Security. Flowers
designed and developed the nCircle Ontology, IP360 – the original
holistic network security solution – “Block on Exposure” and “Intrusion
Prevention.” Flowers was the inventor of
interoperability between discovery and detection systems in network
security. He has agreed to a Thought Leadership interview and we
certainly thank him for his time!

John, were did you get your
start? What was life before Hiverworld/nCircle?

Prior
to nCircle, I worked for Microsoft Corporation and was the Chief
Architect of an early news delivery and filtering system, called
Farcast (later InQuisit), which was purchased by Ask Jeeves (now Ask).
After that, I went on to create technologies in natural language and
search, video, color correction, social networking, benchmarking and
now, once again, network security.

Amazing, can you cook as well? I am amazed at the number of
security thought leaders I meet that are chef level cooks.

I wouldn't call myself "Chef Level" -- but, I do cook. I trained in
Thailand and I am moderately skilled at creating quite a few Thai
dishes, including Tom Yam Kung nam Khan (prawn soup in coconut milk),
Plathu (mackerel), Phat Thai kung (which I learned to cook in Chiang
Mai) and Panang Gai (not technically Thai... more a Malaysian dish). I
make a decent Mi Krop (or Mi Khrob) and I'm learning Pla Nueng Manao --
a fish dish that I consider quite difficult. When I'm not stinking up
the kitchen, my wife tends to cook most meals and is amazing at it.

Can
you tell me just a bit more about what you have done and what you are
working on?

Stephen,
I am an inventor on over a dozen patents, almost
all of which are in the network security and algorithmic and natural
language search fields. My personal blog and full resume can be found
at www.LifeZero.org, where I
discuss life, technology, video, search, network security, programming
and, most recently, the advanced network security tool and platform,
カネ|box.

I went to your website, it is quite interesting, I
was a bit slow on the uptake for navigation, but found the kane|box
paper, love the network history section, what a blast from the past. By
the way, Kane (Kah Nay) means male in Hawaiian. What are some “must
read” papers that you recommend other people read?

I'll
add the Hawaiian meaning to the paper. I love how many different
meanings I can pull out of a single word (I'm a bit of a word nerd), so
that makes my day! As for papers -- "Insertion, Evasion and Denial of
Service" (the classic paper). Everything at
http://techbuddha.wordpress.com (Amrit Williams). Most of the papers
from Owasp.org are worth reading.

Lately, I've been trying to wade through the Metasploit documentation.

That is a great reading list, thank you for that. How did you become
interested in the field of information security?

As
a kid, I read the Legion of Doom technical journals (
http://www.textfiles.com/magazines/LOD/ ) and watched Three Days of the
Condor way too many times. By the time the movie Sneakers came out, I
was working for Microsoft and thought, “I could start a company that
does that.” So, eventually, I did.

Three Days of the Condor,
wow, it has been a long time, I wonder if Netflix
has that on watch instantly (it does, I may rewatch that tonight)?
What product are you working on today? What are some of its
unique characteristics? What differentiates it from the competition?

I
stepped out of network security for a while and created a search engine
that did natural language queries and results. It wasn't much of a
commercial success, but it was purchased by the co-founder of Ask
Jeeves. We did some really interesting things with language and math, but
my first (and true) love remained network security.

nCircle was a decade ago and times
have changed. The stuff that worked then doesn't really work as well
today. I used to refer to IDS as “Network False-Positive Recorders” and
I still think that's true, but there's a more insidious side, which is
false-negatives and – in the case of Intrusion Prevention – that is a
really bad deal.

I was really inspired by Gibson's concepts of
personality constructs and I decided to apply that knowledge.

Whoa,
let me stop you right there; I found this paper,
is this the right Gibson, is there a better paper to point to?

I was thinking more, William Gibson, the author of Neuromancer and --
my personal favorites -- Count Zero and Mona Lisa Overdrive. But, yeah,
that Gibson is a great example. I've read him and find his work very
interesting. I'm also highly interested in virtual economies and how
they mimic real-world economies. When you dig into most things, you'll
find personality at the root of decision-making. That is a big lesson
and one I try to always consider (and remember) with everything I do.

Awesome,
thank
you for that, so back to your idea what are you going to apply
the knowledge of personality constructs to, what are you trying to do?

At
kozoru
(my last company), I wanted to create a system where we indexed
and understood the language of the Internet. But, more than that, I was
interested in the idea of authority, time-based information and bias.
This took me down a path of understanding the interconnectedness of
concepts and language, from a statistical perspective. I wanted to
apply that knowledge to the network security field. The idea being that
both search and network security can be better understood from a
heuristic and a statistical perspective. Turns out, there are some
really great things you can do once you stop building dumb security
products with rules telling them what they should do and how to find
problems.

To that end, I'm working on an Open Source platform, called カネ|box (or
kane|box), which does a number of new and (hopefully) interesting
things in the network security field. It isn't like other tools and
it's a bit hard to describe briefly, but the overall theme is this --
there's an Engine which understands protocols and traffic. That Engine
gets trained on your network, because it is unique and different than
other networks. When the Engine is trained, it can tell you what is
happening in a meaningful way. kane|box does discovery, detection,
deflection and packet scrubbing... but it does more than that too.

I
am intrigued, what more does it do?

You've read the kane|box White Paper and Documentation, so you've seen
either hints toward functionality or flat-out examples of some of the
functionality. The four big areas I am focusing on over the next year
are: Exposure Inferencing, Scrub on Exposure, Geo-targeting and what I
call "Elite Ninja Skills."

And, since you asked...

Exposure Inferencing means the platform looks at traffic on your
network, compares that traffic with a huge set of known acceptable
traffic, adds to that a huge set of known suspicious traffic. All this
traffic goes into the Engine, which determines what is acceptable for
your unique environment and infers a set of edge cases -- things that
probably shouldn't be on your network. As you gather traffic, kane|box
starts creating exception reports for anything that shouldn't be
happening on your network, which includes what I call the "Damage over
Time" attacks (an idea taken from certain online role-playing games).

Scrub on Exposure is a way of doing something with this information.
While kane|box can make different decisions about the threats it has
modeled, one choice I am excited about is the idea of literally
scrubbing the packets going into and out of your network to remove
anything considered hostile. The paper you mention talks more about
this functionality.

Geo-targeting is exciting because -- as far as I know -- kane|box is
the first technology to model threats and apply geo-location
information to those threats. This means, among other things, kane|box
knows whether an attack originated in Germany, France, Africa or
wherever. If you combine geo-location with Damage over Time and
Exposure Inferencing, you can create a historical view of something
valuable; when and how the exposure was created and what kind of
leverage is being applied to your environment.

"Elite Ninja Skills" is a fun way of talking about how the platform can
absorb exposures then use Training Sets to actively test your
environment for vulnerabilities and exposures. Or, put more simply, you
can run an existing tool against kane|box and then kane|box will be
able to test for the same vulnerabilities as that tool. And, because
kane|box isn't one tool with only one function, those newly discovered
ways of testing are compared with a large dataset. In this way,
kane|box can create compound vulnerability and exposure conditions,
based on a huge number of possibilities. In theory, this should allow
kane|box to find new, not-yet-discovered vulnerabilities and exposures,
some of which would be unique to your environment.

What do you think the security products in your space will
look like in two years, what will they be able to do?

Hopefully
they
will get smarter. Network security products are really, really
dumb right now, but they are forgiven because companies spend hundreds
of thousands of dollars creating a pretty interface that management can
see and understand. This is a problem. Reports are important, yes, but
if the product just ignores or doesn't understand anything it's
reporting on, then the reports are useless and giving a false sense of
security (pun intended).

Sadly, I agree that network
security products are pretty dumb, I was interested in the meta rules
from the failed SIEM company Hightower and I am very interested
in speaking with some customers of LogMatrix.
Of the products that are out there, who do you feel has some
significant potential?

I've taken a look at the work being done by White Hat Security, largely
because of my interest in Web Application Firewalling and protection.
Jeremiah Grossman is well-informed. I read his blog regularly and I
remain convinced there will eventually be a decent solution for
preventing web attacks. The White Hat Security guys seem to be going
down an interesting path with their managed solutions. I've also taken
a hard look at Qualys and Cenzic and I am convinced they are very good
at advertising and marketing. There's a decent paper called The
Security Treadmill, aimed at Executives, which talks about some of the
concerns I have.

I like Amrit and the work they are doing at BigFix has some real
potential. It doesn't solve all the problems I am discussing, but it is
a great solution for what it does solve.

I'm also very happy with the work being done at CAPEC.mitre.org. It is
very exciting to see someone thinking about exposures in a holistic
way, rather than just trying to play the counting game and enumerate as
many different micro-threats as possible. I think vendors could learn a
lot about the big picture just by reading through the CAPEC Methods of
Attack View.

Obviously, I am hoping kane|box can address some of the issues we have
discussed here, but -- as the platform is not finished -- time will
eventually determine whether this is the case.

Please
share your impression of the defensive information community. Are we
making progress against the bad guys? Are we losing ground?

Right
now
we are. The bad guys have gone underground. They aren't openly
sharing exposures anymore. They are obfuscating their attacks in so
many ways, it is just impossible to predict with anything rules-based.
I say rules-based, knowing there are people who will wave their hands
and talk about how they're doing something different. But, they aren't.
Everything right now is based on the same, old, broken ideas from ten
years ago. And, remember the Matrix... a system built on rules is
fundamentally brittle and can be circumvented. Until we learn this,
we're going to keep getting compromised and our reports are going to
keep showing how many “threats” were “prevented” by the technology.

And,
the bad guys will keep winning.

I
agree the bad guys are winning. Please share your thoughts concerning
the most dangerous threats information security professionals will be
facing in the next year to eighteen months.

The threat
right now is social. We're all connected to these networks and we give
them all our private information and they largely believe – as
evidenced by Zuckerberg's recent announcements – that they are the
Internet and the Internet is insecure and open. Because of this, and
technologies like Open Graph
(and others), we're just handing our personal information to the bad
guys. I've already seen Bad Gadgets (the 2007 Black Hat presentation,
co-presented by my friend and long-time collaborator Tom Stracener)
and “Ass of Fire” YoVille Awards, both of which are scary... but it's
the stuff you don't see that is even more frightening.

Yes,
I have followed the work of Kevin Johnson on exploiting
Social Media information as well. Why do you think the bad guys are
winning?

I
think we have largely given up on solving security, probably because
everything is costly and nothing truly works properly. That's very sad
to me and I believe it will take years to recover from such an
attitude. But, my hope is we do recover. I saw this same behavior in
the mid-nineties and we got through it, we'll get through it again.

Glad
to
hear you think there is a tunnel at the end of the light! What is
your biggest source of frustration as a member of the defensive
information community?

I've already discussed this, but
in a single phrase, it's the idea of perfuming the pig. Many companies
are completely
disillusioned with security – and they should be. We have to start
giving the good guys tools that work and do what they say, but that
requires a fundamental change in the design and creation of those
tools. It's going to be hard to solve this problem, because enough
companies are still spending big dollars on products with fundamental
flaws in their architecture and design.

We like to give
our interview candidates a bully pulpit, a chance to share what is on
their mind, what makes their heart burn, even if it is totally
unrelated to the rest of the interview. Please share the core message
you want people to know.

I've probably already ranted
enough.

Oh no, you are only a six out of ten on my
rant-o-meter, please continue.

As
you can likely tell, I'm that guy that won't shut up and gets really
frustrated when someone creates a product or technology that does not
work or is not well designed or has a foundation with glaring flaws in
it. Because of this, unfortunately,
I've made a few non-friends in the space. But, I feel like, if someone
calls themselves “good guys” or “white hat” – they have a
responsibility to do something meaningful and try to protect people
from the bad guys. Otherwise, why bother saying you're on the right
side?

I also find it disturbing that, after a decade of hard work, products
are incapable of properly handling either simple obfuscation techniques
or large networks. Data correlation in network security is in the dark
ages. Reporting is single-minded and not based on conditions or changes
over time. We are still counting attacks and ranking them based on
arbitrary scoring systems. Like I said, security products are quite
dumb.

My wake-up call to the security industry would be to stop trying to
imitate everyone else, because what they are doing is broken. We need
new foundations, new mindsets and we need to not be afraid to apply
other technologies to the network security field. Something has to
seriously change for us to succeed.

And the personal
side of your life? Please tell us something about yourself, what do you
do when you are not in front of a computer?

I love
traveling and spend half my time outside the country each year (if
possible). Learning new languages is a kind of hobby for me, I'm into
Japanese again, but spent a lot of time learning Thai and Mandarin and
some Spanish -- as I just spent 9 month traveling throughout Latin
America, I sort of osmotically learned enough to get around.

Mostly, though, I just enjoy doing whatever I can with my wife, whether
it's seeing a movie, going out to eat or just hanging out. Those are
always the great days.